Comment About the Recent Cybersecurity Incident at MyHeritage

I have refrained from writing about the recent cybersecurity incident affecting MyHeritage because of my relationship with the company. I didn’t want to write anything that could be seen as either a positive or a negative comment. I prefer to remain neutral and let everyone interpret the facts as they wish. However, the news services are now full of stories about the incident, and some of those stories are highly inaccurate. Therefore, I will simply mention it here, invite everyone to read the details for themselves in the MyHeritage Blog, and then offer my comments.

The MyHeritage Blog provides the details at https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/ and then the follow-up article at https://blog.myheritage.com/2018/06/cybersecurity-incident-june-5-6-update/.

OK, having written the disclaimer above, I will now give my (possibly biased) interpretation of the incident:

It wasn’t much of a break-in.

The hackers stole a LOT of email addresses, but nothing else. They didn’t get any passwords simply because MyHeritage has rather good, although obviously not perfect, security. MyHeritage doesn’t save passwords so hackers cannot steal passwords from the company. The hackers also apparently did not obtain any other personal information, such as addresses, telephone numbers, credit card numbers, or anything else like that.

If MyHeritage had perfect security, the hackers wouldn’t have been able to access the email addresses at all. I guess the hackers now can send all of us spam mail to the stolen addresses but that’s about the worst thing they can do. There is no need for anyone to notify their bank or credit card company.

The folks at MyHeritage did the right thing, however. They wrote:

“Although no passwords leaked but only hashed versions of the passwords, we encouraged our users to change their password, and many already did so. However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage.”

The requirement to change passwords is a good security precaution. It will inconvenience users who have to change their passwords but is still the prudent thing to do, “just in case” there was a bigger problem than what is believed to have happened. I changed my password a few minutes ago on MyHeritage and you will have to do the same if you have an account there.
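To make concrete what “hashed versions of the passwords” means, here is an added illustration (not MyHeritage’s code; the work factor, record fields and e-mail addresses are assumed): the site keeps only a random salt and a slow one-way hash per user, checks a login by recomputing that hash, and can expire every password at once without ever holding the passwords themselves.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; a real site tunes this to its hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Build the stored record for a password: salt + one-way hash, no plaintext."""
    salt = salt or os.urandom(16)  # fresh random salt, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": ITERATIONS, "expired": False}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def expire_all(records: dict) -> None:
    """Mass expiry as announced in the quoted statement: hashes stay, but every
    user must set a new password before the account can be used again."""
    for rec in records.values():
        rec["expired"] = True


def login(records: dict, email: str, candidate: str) -> str:
    """Return 'ok', 'reset-required' or 'denied' for a login attempt."""
    rec = records.get(email)
    if rec is None or not verify_password(rec, candidate):
        return "denied"
    if rec["expired"]:
        return "reset-required"
    return "ok"


def change_password(records: dict, email: str, old: str, new: str) -> bool:
    """Replace the stored record after proving knowledge of the old password;
    the new record is no longer expired."""
    rec = records.get(email)
    if rec is None or not verify_password(rec, old):
        return False
    records[email] = hash_password(new)
    return True


# Constructed sample user database (one made-up address), kept in memory.
USERS = {"reader@example.com": hash_password("correct horse battery")}
```

A copy of `USERS` reveals salts and hashes but no password; an attacker holding it would still have to guess each password and run the slow hash per guess, which is why forcing a reset is the prudent response.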

I noticed that several online reports claim that hackers obtained both user names and passwords but that is incorrect, according to MyHeritage’s senior managers. The truth can be found in the MyHeritage Blog.

Again, that’s not much of a break-in.

You can find the details at https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/ and then the follow-up article at https://blog.myheritage.com/2018/06/cybersecurity-incident-june-5-6-update/.

 – Dick Eastman

9 Comments

92 million valid email addresses are gold to spammers, phishers and other crooks.


MyHeritage should have notified their user base via email of the breach. I was appalled by their lack of communication and I am not buying the “don’t worry, be happy” approach of telling us it was just the emails. Those email addresses are now worth money as they are verified email addresses of genealogical purchasers. I am now no longer a MyHeritage customer.


    MyHeritage DID notify their user base. I received my notice this morning.

    Of course, they are notifying something like 90 million users by email. I know from my own experience you can’t do that in a few minutes. Sending that many individual email messages requires several hours, even on the fastest Internet OC3 backbone connections. It is quite possible you haven’t received your notification yet but, if you are a MyHeritage user, you will receive it. (Look in your spam folder also… when anyone sends thousands or even millions of identical messages, quite a few of them will be diverted to spam folders by the receiving email servers.)


    If you look at the timing, the company did not know anything at all about the breach until late Monday night, when they were warned by a security expert that some information had been found that appeared to have been stolen from MyHeritage. The first thing they had to do was to verify the report, and then, based on their early investigations, make a determination as to how bad the breach was and what steps they and their customers should take to protect themselves.

    It looks to me as if the company posted their first public warning on the blog within about 24 hours of the time they were first notified about a possible breach, and followed up with more specific details of their remedial plan within about 24 hours after that. Now, they have already begun to roll out individual notifications and instructions to all of their several million customers.

    That seems like exemplary performance to me, especially when compared to several other much bigger and more famous companies which took months (or even years) to inform anybody at all of much more serious breaches.


For some reason, there are plenty of people who love to spread false information. I belong to two FB genealogy software user groups where there have been numerous “the sky is falling” posts. I really wish people would learn to search/research before posting false information. Instead of doing a PSA, they are performing a public disservice.


Thank you for the clarification! Headlines can sometimes be inaccurate, leading to undue stress.


Please explain the term ‘hashed passwords’ and never hesitate to alert your loyal readers to security matters that affect us.


Judging by what shows up in my Junk mail folder every day, the spammers, phishers and crooks had my email long before the MyHeritage breach. My email account is set to send all email that is not from a contact to my Junk folder. Every couple of days I peruse the folder, move legit stuff to my inbox and delete the rest without opening it. If in doubt, throw it out.
